Full Report
Cybersecurity researchers said they saw Medusa attacks launched by members of Lazarus — a well-known North Korean hacking operation housed within the country’s military — against a company in the Middle East and a healthcare organization in the U.S.
Analysis Summary
# Threat Actor: Lazarus Group (North Korean State-Backed Operation)
## Attribution & Identity
Group identified as **Lazarus**, a well-known North Korean hacking operation housed within the country's military. The specific actors deploying Medusa ransomware are *believed* to be members of the **Andariel Unit**, which is commonly cited as a subgroup within Lazarus/RGB (Reconnaissance General Bureau).
**Known Aliases/Associated Subgroups:** Andariel Unit.
**Individual Mentioned:** Rim Jong Hyok (an alleged member of Andariel, indicted by the US for past Maui ransomware attacks).
## Activity Summary
Lazarus members were observed launching financially motivated attacks using **Medusa ransomware** against at least two organizations. Symantec attributed these attacks to Lazarus because they involved custom tools used exclusively by the group.
**Historical Context:**
* Previously used other ransomware strains: **Maui** (reportedly developed by Lazarus itself) and **Play** ransomware (deployed in collaboration).
* Lazarus/Andariel actors were behind widespread ransomware attacks using Maui against U.S. healthcare organizations in 2021 and 2022.
* Prior attacks targeted: US hospitals, healthcare companies, US-based defense contractors, US Air Force bases, and NASA’s Office of Inspector General.
* In October 2024, actors believed to belong to Andariel launched three other financially motivated attacks in the U.S. in which ransomware was not successfully deployed.
## Tactics, Techniques & Procedures
- **Ransomware Deployment:** Use of the **Medusa ransomware** strain (shifting from custom strains like Maui to RaaS offerings).
- **Custom Tooling:** Use of **custom tools exclusively used by Lazarus**, including a custom backdoor and other malware; this exclusivity is the basis of Symantec's attribution.
- **Data Exfiltration/Theft:** Deployment of a **Chrome browser password extractor**.
- **Operational Shift:** Transitioned from developing their own ransomware (Maui) to using **Ransomware-as-a-Service (RaaS)** offerings like Medusa.
- **Funding Cycle:** Proceeds from past ransomware attacks (Maui) were used by actors like Rim Jong Hyok to purchase servers subsequently used for cyber espionage attacks.
## Targeting
- **Sectors:** Healthcare, General Corporate (Company in the Middle East).
- **Geography:** United States (U.S.), Middle East.
- **Victims:** A healthcare organization in the U.S. and an unspecified company in the Middle East.
## Tools & Infrastructure
- **Malware Families Used:** Medusa ransomware, Maui ransomware, Play ransomware (previously associated), custom backdoor tool, Chrome browser password extractor.
- **Infrastructure (C2, domains, IPs):** None provided in the source text; no indicators are available to defang or block.
## Implications
This activity points to a shift by Lazarus/North Korean state-sponsored actors toward **Ransomware-as-a-Service (RaaS)** offerings for financial gain, and potentially to closer coordination between state operators and criminal ransomware crews. Targeting of critical sectors such as U.S. healthcare remains a primary concern, as it was during the Maui campaign. Pairing custom Lazarus tooling with a commodity RaaS payload also means that detection of the precursor tooling, not only the ransomware, is what distinguishes this activity from an ordinary Medusa affiliate intrusion.
## Mitigations
- Build detection and response coverage for known Lazarus custom tools (backdoors, specialized malware); these precede the ransomware and are the earliest point at which the intrusion can be stopped.
- Enforce multi-factor authentication and strong credential management; MFA limits the value of passwords harvested from browsers, and a policy that disables browser password storage on managed endpoints removes the target of Chrome password extractors altogether.
- Maintain strong network segmentation and prioritize defenses for critical infrastructure components.
- Monitor for TTPs associated with Medusa ransomware deployment, currently the group's preferred strain for financially motivated activity.
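The Chrome browser password extractor noted under Tactics, Techniques & Procedures and the credential-harvesting mitigation above share one detection opportunity: any such tool has to open Chrome's on-disk credential store. The following is an added example written for this page, not code from the source article or from Symantec, showing detection logic run over constructed file-access audit records. It assumes Chrome's standard profile layout (a `Login Data` SQLite database and a `Local State` file beneath `User Data`), Windows object-access auditing (Security Event ID 4663, which needs a SACL on the profile directory), and the default Chrome install paths; all of these are assumptions to adjust for the actual estate.

```python
"""
Detection logic for non-browser processes touching Chrome's credential store.

Chrome stores saved logins in an SQLite database named "Login Data" and the
DPAPI-protected AES key used to encrypt them in "Local State", both beneath the
profile's "User Data" directory. A Chrome password extractor has to read (or
copy) both files, and in normal operation only chrome.exe, launched from its
install directory, opens them.

The records below are CONSTRUCTED for this example; they imitate Windows
object-access audit events (Security Event ID 4663, which requires a file
system SACL on the profile directory) reduced to a handful of fields.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Basenames an extractor needs: the login database and the key material.
SENSITIVE_BASENAMES = {"login data", "local state"}

# Path fragment that identifies a Chrome profile tree.
CHROME_PROFILE_MARKER = "\\google\\chrome\\user data\\"

# Full image paths permitted to open the credential store. Matching the full
# path rather than the basename is deliberate: a dropped binary renamed to
# chrome.exe in a user-writable directory must still alert. (Assumed default
# install locations; adjust to the estate's actual deployment.)
TRUSTED_BROWSER_IMAGES = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\google\chrome\application\chrome.exe",
}


@dataclass(frozen=True)
class FileAccessEvent:
    event_id: int        # 4663 = "An attempt was made to access an object"
    process_image: str   # full path of the accessing process
    object_name: str     # full path of the file accessed
    user: str


@dataclass(frozen=True)
class Alert:
    user: str
    process_image: str
    object_name: str
    reason: str


def _normalise(path: str) -> str:
    return path.lower().replace("/", "\\")


def is_chrome_credential_file(path: str) -> bool:
    """True for Login Data / Local State inside a Chrome profile tree."""
    norm = _normalise(path)
    return CHROME_PROFILE_MARKER in norm and ntpath.basename(norm) in SENSITIVE_BASENAMES


def is_trusted_browser_image(image: str) -> bool:
    return _normalise(image) in TRUSTED_BROWSER_IMAGES


def detect_credential_store_access(events: list[FileAccessEvent]) -> list[Alert]:
    """Return one Alert per access to a Chrome credential file by an untrusted image."""
    alerts: list[Alert] = []
    for ev in events:
        if ev.event_id != 4663 or not is_chrome_credential_file(ev.object_name):
            continue
        if is_trusted_browser_image(ev.process_image):
            continue
        if ntpath.basename(_normalise(ev.process_image)) == "chrome.exe":
            reason = "chrome.exe running outside its install directory"
        else:
            reason = "non-browser process read Chrome credential store"
        alerts.append(Alert(ev.user, ev.process_image, ev.object_name, reason))
    return alerts


# Constructed sample telemetry: one benign browser access, one benign unrelated
# access, and two accesses of the kind a credential extractor generates.
SAMPLE_EVENTS = [
    FileAccessEvent(4663, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                    r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data", "jdoe"),
    FileAccessEvent(4663, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    r"C:\Users\jdoe\Documents\notes.txt", "jdoe"),
    FileAccessEvent(4663, r"C:\Users\jdoe\Downloads\update.exe",
                    r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data", "jdoe"),
    FileAccessEvent(4663, r"C:\Users\jdoe\AppData\Local\Temp\chrome.exe",
                    r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Local State", "jdoe"),
]


if __name__ == "__main__":
    for a in detect_credential_store_access(SAMPLE_EVENTS):
        print(f"[{a.reason}] user={a.user} image={a.process_image} file={a.object_name}")
```

Run against the constructed events, the rule stays quiet for the real browser and for PowerShell reading an unrelated document, and raises two alerts: the downloaded `update.exe` opening `Login Data`, and a `chrome.exe` in a Temp directory opening `Local State`. The second case is why the allow-list is keyed on the full image path; a basename check would let a renamed extractor through.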